TITLE: Linksys WRT54G UPnP Port Mapping Vulnerability SECUNIA ADVISORY ID: SA20161 VERIFY ADVISORY: http://secunia.com/advisories/20161/ CRITICAL: Less critical IMPACT: Security Bypass WHERE: >From local network OPERATING SYSTEM: Linksys WRT54G Wireless-G Broadband Router http://secunia.com/product/3523/ DESCRIPTION: Armijn Hemel has reported a vulnerability in Linksys WRT54G, which can be exploited by malicious people to bypass certain security restrictions. The vulnerability is caused due to missing authentication of UPnP AddPortMapping requests and missing validation of the InternalClient parameter of the request. This can be exploited by hosts on the local network to configure port forwarding settings on the device to forward incoming traffic to arbitrary hosts without requiring authentication. Successful exploitation may allow the device to be configured to forward traffic that is received on specific ports on the external interface to another host on the Internet. SOLUTION: Update to firmware version 1.00.9. http://www.linksys.com/servlet/Satellite?c=L_Download_C2&childpagename=US%2FLayout&cid=1115417109974&packedargs=sku%3D1127782957298&pagename=Linksys%2FCommon%2FVisitorWrapper PROVIDED AND/OR DISCOVERED BY: Armijn Hemel ORIGINAL ADVISORY: http://www.securityview.org/how-does-the-upnp-flaw-works.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------